In this section, we describe our four round MPC protocol that achieves security against any malicious PPT adversary that corrupts a dishonest majority of parties. We obtain our result by “compiling” any three-round semi-malicious MPC protocol in which the first message of the protocol is public-coin (i.e., an honest party simply samples a random string and sends it as the first message) into a four round maliciously secure protocol.
Formally, we prove the following theorem.
Theorem 12. Assuming polynomially secure:
• DDH or Quadratic Residuosity or Nth Residuosity, AND
• a three round semi-malicious MPC protocol πSM for any functionality f, secure against a dishonest majority, whose first round is public coin,
the protocol π presented below is a four round MPC protocol for f secure against a dishonest majority.
[BHP17, GS18, BL18]^20 construct such three round semi-malicious protocols. Instantiating the above theorem with the constructions of [GS18, BL18], we get the following corollary.
Corollary 13. Assuming polynomially secure:
• DDH or Quadratic Residuosity or Nth Residuosity,
the protocol π presented below is a four round MPC protocol for any functionality f.
Below, we first list the ingredients used in our construction, followed by some relevant notation. We formally describe our MPC protocol in Section 7.3.
^20 Note that [GS18, BL18] construct two round semi-malicious MPC protocols and hence they are trivially three
Ingredients. We list all the cryptographic ingredients that are used in our MPC protocol. As mentioned in the introduction, our construction uses a Promise ZK argument system in a non-black-box manner, and therefore we list all of its ingredients separately.
• NCom is a non-interactive commitment scheme based on injective one way functions.
• WZK = (WZK1, WZK2, WZK3, WZK4) is a three-message delayed-input distributional weak zero-knowledge argument system, where the algorithm WZK4 is used to compute the decision of the verifier. Such a scheme was constructed by Jain et al. [JKKR17] based on the DDH or Quadratic Residuosity or Nth Residuosity assumption.
• ECom = (ECom1, ECom2, ECom3, ExtECom) is the three-message delayed-input extractable commitment scheme described in Section 7.1 based on injective one way functions. We set the rewinding parameter B associated with ECom to be 4. Here ExtECom is the extractor algorithm associated with ECom s.t. given an admissible input set consisting of 5 well-formed execution transcripts of the ECom protocol that share the same first round message, ExtECom outputs all of the committed values with overwhelming probability.
• TDGen = (TDGen1, TDGen2, TDGen3, TDOut, TDValid, TDExt) is a three-message trapdoor generation protocol as defined in Section 4 based on one way functions. The first three algorithms are used to generate the messages of the protocol while TDOut computes the receiver’s output. Algorithm TDValid determines whether an input trapdoor value is valid w.r.t. the first message of a protocol transcript. Algorithm TDExt computes a valid trapdoor given three protocol transcripts that share the same first round message.
• WI = (WI1, WI2, WI3, WI4) is a three-message delayed-input witness-indistinguishable argument system, where WI4 is used to compute the decision of the verifier. Such schemes are known from injective one-way functions [LS90].
• RWI = (RWI1, RWI2, RWI3, RWI4) is a three round delayed-input witness-indistinguishable argument with non-adaptive B-rewinding security (for B = 6) as well as reusability security (see Definition 6 in Section 4 and Definition 19 in Appendix C). Informally, by non-adaptive rewinding security, we mean that the verifier challenges are non-adaptive, that is, the second round messages of the verifier in all the threads (main and rewound) are committed in advance, before the challenger responds to any of them in the third round. This means that the verifier generates each second round query independently of the third round response to the previous query. This rewinding security property suffices for our MPC construction.
We describe how to construct the protocol RWI in Appendix C based on the DDH or Quadratic Residuosity or Nth Residuosity assumption. Briefly, we consider protocol 6 of [JKKR17], which is non-adaptive unbounded-rewinding and reusable secure, and instead instantiate the ZAP in that protocol with our bounded rewinding secure WI from Appendix A to achieve only non-adaptive bounded rewinding and reusability security. We elaborate more on it in Appendix C.
• NMCom = (NMCom1, NMCom2, NMCom3) is the three-message special non-malleable commitment scheme of Goyal et al. [GPR16] satisfying Definition 4. It is based on injective one way functions. Let ExtNMCom denote the PPT extractor associated with the 2-extraction
• πSM is a three-round semi-malicious MPC protocol with the first round being public coin. Let $(\pi^{\mathsf{SM}}_1, \pi^{\mathsf{SM}}_2, \pi^{\mathsf{SM}}_3)$ denote the algorithms used by any party to compute the messages in each of the three rounds, and let OUT denote the algorithm to compute the final output. Also, let $\mathsf{Trans}_i$ denote all the messages sent in an execution of πSM up to the completion of round i. Let S = (S1, S2, S3) denote the straight line simulator for this protocol, where Si is the simulator’s algorithm to compute the ith round messages.
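The extraction guarantee stated for ECom above (rewinding parameter B = 4, extraction from 5 well-formed transcripts that share the first message), and the analogous three-transcript extraction of TDGen, can be made concrete with a toy commitment. The following Python example is added here; it is not the scheme of Section 7.1, is not delayed-input, and is not code from the paper. It assumes a Pedersen commitment over a small constructed group (parameters P, Q, G, H), a random degree-B polynomial whose constant term is the committed value, and a receiver challenge that asks for one evaluation of that polynomial; the names ecom1, ecom2, ecom3, well_formed, ext_ecom and rewinding_demo are hypothetical.

```python
"""Toy B-rewinding-extractable commitment (added illustration, not the
ECom scheme of Section 7.1).  Assumed design: the committer hides the
value v as the constant term of a random degree-B polynomial p over Z_q,
publishes Pedersen commitments to the coefficients (first message),
receives a challenge point x (second message) and opens p(x) (third
message).  Any B+1 well-formed transcripts that share the first message
but carry distinct challenges let the extractor interpolate p(0) = v.
With B = 4 this is the "5 transcripts" setting of the ECom bullet."""
import secrets

# Toy group parameters (constructed; far too small for real use):
# p = 2q + 1 is a safe prime, G and H generate the order-q subgroup.
# Binding relies on nobody knowing log_G(H), as for any Pedersen setup.
P, Q = 1019, 509
G, H = 4, 9


def commit(val, rnd):
    """Pedersen commitment G^val * H^rnd mod P."""
    return (pow(G, val, P) * pow(H, rnd, P)) % P


def ecom1(v, B):
    """First message: commitments to the coefficients of p (p(0) = v)
    and of a blinding polynomial s.  Returns (message, committer state)."""
    a = [v % Q] + [secrets.randbelow(Q) for _ in range(B)]
    s = [secrets.randbelow(Q) for _ in range(B + 1)]
    msg1 = [commit(a[k], s[k]) for k in range(B + 1)]
    return msg1, (a, s)


def ecom2():
    """Second message (receiver's challenge): a random point x != 0."""
    return 1 + secrets.randbelow(Q - 1)


def ecom3(state, x):
    """Third message: the evaluations p(x) and s(x)."""
    a, s = state
    px = sum(a[k] * pow(x, k, Q) for k in range(len(a))) % Q
    sx = sum(s[k] * pow(x, k, Q) for k in range(len(s))) % Q
    return (px, sx)


def well_formed(msg1, x, msg3):
    """Receiver check: prod_k C_k^(x^k) == G^p(x) H^s(x), which holds
    because Pedersen commitments are homomorphic in the exponent."""
    px, sx = msg3
    lhs = 1
    for k, ck in enumerate(msg1):
        lhs = (lhs * pow(ck, pow(x, k, Q), P)) % P
    return lhs == commit(px, sx)


def ext_ecom(transcripts):
    """Extractor: given B+1 well-formed transcripts sharing the first
    message and carrying distinct challenges, interpolate p at 0."""
    msg1 = transcripts[0][0]
    B = len(msg1) - 1
    pts = {}
    for m1, x, m3 in transcripts:
        if m1 != msg1 or not well_formed(m1, x, m3):
            raise ValueError("inadmissible transcript")
        pts[x] = m3[0]
    if len(pts) < B + 1:
        raise ValueError(f"need {B + 1} distinct challenges, have {len(pts)}")
    xs = list(pts)[:B + 1]
    v = 0
    for i, xi in enumerate(xs):  # Lagrange interpolation at x = 0 over Z_q
        num, den = 1, 1
        for j, xj in enumerate(xs):
            if i != j:
                num = num * (-xj) % Q
                den = den * (xi - xj) % Q
        v = (v + pts[xi] * num * pow(den, Q - 2, Q)) % Q
    return v


def rewinding_demo(v, B=4):
    """Main thread plus B rewound threads: same first message, fresh
    challenges each time.  Returns (extracted value, all transcripts ok)."""
    msg1, st = ecom1(v, B)
    transcripts, seen = [], set()
    while len(transcripts) < B + 1:
        x = ecom2()
        if x in seen:
            continue  # a repeated challenge gives no new point; rewind again
        seen.add(x)
        transcripts.append((msg1, x, ecom3(st, x)))
    ok = all(well_formed(m1, x, m3) for m1, x, m3 in transcripts)
    return ext_ecom(transcripts), ok


if __name__ == "__main__":
    print(rewinding_demo(123))          # (123, True)
    print(rewinding_demo(7, B=2))       # three-transcript setting, (7, True)
```

Any B transcripts reveal only B evaluations of a degree-B polynomial, so the constant term stays hidden; the (B+1)-th distinct challenge is exactly what turns the admissible set into a full interpolation, which is why the rewinding parameter and the transcript count in the ECom bullet differ by one.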
Notation. Let P1, . . . , Pn denote the n parties, and let λ denote the security parameter. For simplicity, without loss of generality, we assume that n is at most λ. We consider communication in the broadcast model where all of the protocol messages are sent over a broadcast channel. Below, we describe some additional notation:
• We augment our notation with i → j in the superscript to denote that a message is being sent by party Pi with party Pj as the intended recipient.
• The round number of any sub-protocol (such as the non-malleable commitment, bounded rewinding secure WI arguments etc.) is written in the subscript.
• We use two instantiations of the extractable commitment scheme ECom in our construction. We use a and b in the subscript to differentiate between the two.
NP Languages. In our construction, we use proofs for the following NP languages:
• Language L1 is characterized by the following relation R1:
Statement: $\mathsf{st} = \mathsf{nc}$
Witness: $\mathsf{w} = r_{\mathsf{nc}}$
$R_1(\mathsf{st}, \mathsf{w}) = 1$ if and only if $\mathsf{nc} = \mathsf{NCom}(1; r_{\mathsf{nc}})$.
In our protocol, we use this language for delayed-input distributional WZK proofs. When restricting our attention to such proofs between parties Pi and Pj, where Pi is the prover and Pj is the verifier, we denote the corresponding language by $L_1^{i \to j}$.
• Language L2 is characterized by the following relation R2:
Statement: $\mathsf{st} = \big(\{\mathsf{ecom}_{a,i}\}_{i=1}^{3}, \{\mathsf{ecom}_{b,i}\}_{i=1}^{3}, \mathsf{msg}_2, \mathsf{Trans}_1, \{\mathsf{nmcom}_i\}_{i=1}^{3}, \mathsf{td}_1, \mathsf{nc}\big)$
Witness: $\mathsf{w} = (\mathsf{inp}, r, r_{a,\mathsf{ecom}}, r_{b,\mathsf{ecom}}, t, r_{\mathsf{nmcom}}, r_{\mathsf{nc}})$
$R_2(\mathsf{st}, \mathsf{w}) = 1$ if and only if:
1. Either $(\mathsf{ecom}_{a,1}, \mathsf{ecom}_{a,2}, \mathsf{ecom}_{a,3})$ or $(\mathsf{ecom}_{b,1}, \mathsf{ecom}_{b,2}, \mathsf{ecom}_{b,3})$ is a well-formed transcript of ECom w.r.t. input $(\mathsf{inp}, r)$ and randomness $r_{a,\mathsf{ecom}}$ (resp. $r_{b,\mathsf{ecom}}$) (see Definition 14), and $\mathsf{msg}_2$ is an honestly computed second round message in protocol $\pi^{\mathsf{SM}}$ w.r.t. input $\mathsf{inp}$, randomness $r$ and round 1 protocol transcript $\mathsf{Trans}_1$ (OR)
2. $(\mathsf{nmcom}_1, \mathsf{nmcom}_2, \mathsf{nmcom}_3)$ is a transcript of a non-malleable commitment to a value $t$ that is a valid trapdoor w.r.t. $\mathsf{td}_1$ (OR)
3. $\mathsf{nc}$ is a commitment to 0.
Formally, $R_2(\mathsf{st}, \mathsf{w}) = 1$ if and only if:
– $\mathsf{ecom}_{a,1} = \mathsf{ECom}_1(r_{a,\mathsf{ecom}})$ AND
– $\mathsf{ecom}_{a,3} = \mathsf{ECom}_3(\mathsf{inp}, r, \mathsf{ecom}_{a,1}, \mathsf{ecom}_{a,2}; r_{a,\mathsf{ecom}})$ AND
– $\mathsf{msg}_2 = \pi^{\mathsf{SM}}_2(\mathsf{inp}, \mathsf{Trans}_1; r)$ AND
– $(\mathsf{ecom}_{a,1}, \mathsf{ecom}_{a,2}, \mathsf{ecom}_{a,3})$ is well-formed w.r.t. committed value $(\mathsf{inp}, r)$ and randomness $r_{a,\mathsf{ecom}}$
(OR)
– $\mathsf{ecom}_{b,1} = \mathsf{ECom}_1(r_{b,\mathsf{ecom}})$ AND
– $\mathsf{ecom}_{b,3} = \mathsf{ECom}_3(\mathsf{inp}, r, \mathsf{ecom}_{b,1}, \mathsf{ecom}_{b,2}; r_{b,\mathsf{ecom}})$ AND
– $\mathsf{msg}_2 = \pi^{\mathsf{SM}}_2(\mathsf{inp}, \mathsf{Trans}_1; r)$ AND
– $(\mathsf{ecom}_{b,1}, \mathsf{ecom}_{b,2}, \mathsf{ecom}_{b,3})$ is well-formed w.r.t. committed value $(\mathsf{inp}, r)$ and randomness $r_{b,\mathsf{ecom}}$
(OR)
– $\mathsf{TDValid}(\mathsf{td}_1, t) = 1$ AND
– $\mathsf{nmcom}_1 = \mathsf{NMCom}_1(r_{\mathsf{nmcom}})$ AND
– $\mathsf{nmcom}_3 = \mathsf{NMCom}_3(t, \mathsf{nmcom}_1, \mathsf{nmcom}_2; r_{\mathsf{nmcom}})$
(OR)
– $\mathsf{nc} = \mathsf{NCom}(0; r_{\mathsf{nc}})$.
In our protocol, we use language L2 for bounded-rewinding secure delayed-input RWI proofs. When restricting our attention to such proofs between parties Pi and Pj, where Pi is the prover and Pj is the verifier, we denote the corresponding language by $L_2^{i \to j}$.
• Language L3 is characterized by the following relation R3:
Statement: $\mathsf{st} = \big(\{\mathsf{ecom}_{a,i}\}_{i=1}^{3}, \{\mathsf{ecom}_{b,i}\}_{i=1}^{3}, \mathsf{msg}_3, \mathsf{Trans}_2, \{\mathsf{nmcom}_i\}_{i=1}^{3}, \mathsf{td}_1\big)$
Witness: $\mathsf{w} = (\mathsf{inp}, r, r_{a,\mathsf{ecom}}, r_{b,\mathsf{ecom}}, t, r_{\mathsf{nmcom}})$
$R_3(\mathsf{st}, \mathsf{w}) = 1$ if and only if:
1. Either $(\mathsf{ecom}_{a,1}, \mathsf{ecom}_{a,2}, \mathsf{ecom}_{a,3})$ or $(\mathsf{ecom}_{b,1}, \mathsf{ecom}_{b,2}, \mathsf{ecom}_{b,3})$ is a well-formed transcript of ECom w.r.t. input $(\mathsf{inp}, r)$ and randomness $r_{a,\mathsf{ecom}}$ (resp. $r_{b,\mathsf{ecom}}$) (see Definition 14), and $\mathsf{msg}_3$ is an honestly computed third round message in protocol $\pi^{\mathsf{SM}}$ w.r.t. input $\mathsf{inp}$, randomness $r$ and round 2 protocol transcript $\mathsf{Trans}_2$ (OR)
2. $(\mathsf{nmcom}_1, \mathsf{nmcom}_2, \mathsf{nmcom}_3)$ is a transcript of a non-malleable commitment to a value $t$ that is a valid trapdoor w.r.t. $\mathsf{td}_1$.
The formal description of R3 is similar to R2; we skip the details to avoid repetition.
In our protocol, we use language L3 for delayed-input WI proofs between parties. When restricting our attention to such proofs between parties Pi and Pj, where Pi is the prover and Pj is the verifier, we denote the corresponding language by $L_3^{i \to j}$.